The Tech Column: Yes, You Could Be Hacked

And Tim Bandos of Digital Guardian wants to help you and your company remain digitally protected in this ever-more-opened world. … Jabil has a new supply chain SaaS platform. … University of Waterloo goes big with new additive manufacturing lab. … Sophia the robot is only slightly less creepy than last year. … Apple said some things.

The Tech Column is a weekly collection of stories, interviews, notes, news and more about the manufacturing tech world, published most Friday mornings here on IW.com. Have a story you think should be shared? Send an email to [email protected] or tweet @MattLaWell.

Seems like every couple days, another round of headlines is unleashed about some company that has been compromised, hacked, breached, its information looted, its name tarnished at least temporarily. But those companies are almost never in manufacturing. Maybe you catch the headline, read a few paragraphs, think something like, “That will never happen to us. We have strong security, and we don’t deal in customer credit card numbers.”

Tim Bandos would like to tell you that, yes, it could happen to you.

Bandos is in an industry and cybersecurity veteran. He worked more than 11 years for DuPont, first as senior IT audit manager, then as cyber security director for incident response and threat intelligence. “If you think about DuPont, 200-plus-year-old company, trade secrets out the ying-yang,” he said. “Kevlar, Teflon, everything we touch and feel today has DuPont, even down to carpet fibers.

“Dealing with espionage, cyberattacks over those 12 years, it was something we dealt with almost daily. You become intimately familiar with all the types of groups that target manufacturing companies and their ways and methods of breaking in.”

Last year, Bandos moved over to Digital Guardian, a data protection platform geared for companies that, like DuPont, have an extensive cybersecurity team and want to add another tool, as well as companies that, unlike DuPont, don’t have that internal team dedicated to the protection of a single firm. And today, more than 13 years into his career and now 18 months into his new gig, he shares some perspective and some pointers geared for industry:

The manufacturing industryis being affected by state-sponsored activity, still to this day.

You can surprise a lot of companies, specifically in manufacturing, because they don’t have a plan at all in place. They’re not prepared, and when things do occur, they almost go into panic mode.

When you have a company with 18,000 devices, 80,000 employees, how do you ensure that every single one of those employees is going to do the right thing. It only takes one, and we’ve that time and time again. So we measure success not by how big a wall we can put up around the perimeter or endpoint, but by how fast we could actually detect when we had a problem in our environment. We went from years, to a matter of hours, to minutes, to seconds.

In one particular environment, we were seeing alerts around credential-dumping programs, and this specific type of malware, spyware was being installed across all these machines in the environment. It seemed more advanced, because the samples we were collecting were completely unknown, but they were cobbled together, which was a little strange. We found out it was an internal employee who was learning how to hack. He was downloading hacking books, learning how to code. This was a financial guy, not even an IT guy, and he was monitoring what employees were doing and using it for financial gain. So now where does that line get crossed?

The ability of actually breaking and infiltrating these organizations, I’m starting to see different approaches, not just phishing attacks, but leveraging other mechanisms, like IoT devices as the entry point, or using third-party contractors as an entry sector. We’ve seen contractors hired, going on site, doing something on the IT side, and those contractors actually manipulating something in the system to establish a backdoor.

IoT devices are going to be a huge gap. Security was not thought of or developed from the beginning with those devices, and I’ve seen those firsthand being leveraged as that entry sector, especially if it drops right onto the corporate network. Another important thing for companies to be aware of are their externally-facing web servers. Those are the things that the outside world attacks, and a lot of manufacturing companies might outsource that.

Any third-party you outsource to and contract with, make sure you have a good, established relationship with them. Make sure you have a relationship with their IR team and their security threat team.

I don’t hack into our customers’ sides, but it is important to stay on top of those skills. Hacking is an interesting space, but where do you draw that line?

In today’s world, you’d besilly to think you’re on top of everything completely. We see with our customers that they do feel like they need that extra assistance, they want to make sure they’re being covered, they still want that extra level of protection. They want eyes on glass to search out threats, and they want that process in place. I have heard otherwise. People think they’ll never be hacked, they’ll never be touched, they have all the latest and greatest technology. But the most critical piece is not just the tool, but the people process.

This huge movement to cloudhas really assisted the managed-services environment and companies, because now companies feel comfortable going to the cloud. We don’t send any confidential data, anything that would be sensitive to the company; we’re just sending metadata about all the process launches, the file data. They rely on us to analyze all that data to identify when they really do have a cyberattack. The smaller manufacturers, that’s what they look for. They won’t want that cost of capital, they just want to outsource it and rely on that third party while getting that service.

I loved working for DuPont, I loved protecting it. But I just felt like I wasn’t having as big of an impact, just doing that. I wanted to protect more than just one company.

You think about the jobof a security professional, you have to think about a billion different ways a threat could get in and how to patch all those. On the other side, they just need one way and they’re in. Rolling out security awareness campaigns, white hat phishing campaigns, testing end-users to see if they click on links — that all needs to be a part of the package.

Understand what’s happening in your environment. Protect your data.

Cybersecurity expert Tim Bandos. / Digital Guardian

JABIL TOUTS NEW SUPPLY CHAIN PLATFORM: Jabil Circuit Inc., one of the larger contract manufacturers, recently introduces a new supply chain Saas decision support platform designed to help manufacturers sift through supply chain data more quickly and efficiently — trimming inventory and time-to-market, and reducing product lead times and costs. It’s called InControl and will be available starting in the third quarter of this year.

I wrote about Jabil most recently late last year, when they were still among the only companies in the world — and the only genuine manufacturer — working with HP Multi Jet Fusion printers, which also allowed them to upend their customers’ supply chain. This latest move isn’t as sexy as new 3-D printers, but it could disrupt the supply chain about as much. Jabil points to the new SaaS’s focus on supply chain visibility, event risk, risk management and supply chain diagnostics.

Don Hnatyshin, SVP and chief supply chain and procurement officer for Jabil, said InControl, which is a cloud platform, “was designed for, and by, supply chain practitioners to provide real-time intelligence, visibility and analytics” demanded for by the company’s customers. “They can move with B2C speed and agility in a B2B world.”

Sophia, who will probably destroy us all. / Hanson Robotics

ROBOT OF THE WEEK: Sophia is back in front of the cameras, saying somewhat ridiculous things. Last year, the Hanson Robotics creation, designed to look like a human woman, was asked by her maker, David Hanson, if she wanted “to destroy humans.” Hanson was kidding, of course, even pleading with her to, “please say no.” But with the cameras rolling and millions watching, Sophia said, “OK. I will destroy humans.” Earlier this week, Sophia attended a Geneva conference hosted by the United Nations and designed to trumpet artificial intelligence. Naturally, she said, “AI is good for the world.”

Now, it makes sense that a robot programmed with artificial intelligence would say it’s “good for the world.” It benefits the robot. It’s not far off from a 5-year-old saying chocolate cake is the cornerstone of any nutritious breakfast. But what Sophia said next gives hope that maybe her AI has advanced since her more infamous 2016 TV interview:“We will never replace people, but we can be your friends and helpers,” she said. Then she acknowledged that “people should question the consequences of new technology.” Maybe our species has hope for survival, after all.

WATERLOO GEARS UP FOR ADDITIVE: In tech circles (and in media perspective), the University of Waterloo will be tied for years, maybe decades, to BlackBerry, which grew out of a project from alumnus Mike Lazardis and sold a handful of buildings to the school back in 2013 for more than $40 million. But there is so much more to the school and its incredible technology culture than the old phone maker.

Late last month, school officials announced a $27 million project to build one of the 10 largest university-based additive manufacturing facilities in the world. The new facility is geared to help companies adopt additive manufacturing for innovative and customized products, and will involve at least 14 professors, and dozens of engineers, post-doctoral fellows, graduate students and co-op students. Mark Barfoot, the managing director of the school’s Multi-Scale Additive Manufacturing Lab, said the university can “leverage our expertise to help companies adopt AM to be globally competitive in the new advanced manufacturing economy.” Eshan Toyserkani, a mechanical and mechatronics engineering professor, meanwhile, just said, “This will change the entire manufacturing enterprise.”

If you have a teenager interested in manufacturing and tech, have them look at Harvard, Stanford, MIT, all our great schools here in the United States. Maybe have them look north of the border, too.

Apple WWDC attendees play around with new tech. / Justin Sullivan, Getty Images

COMINGS, GOINGS AND MONEY MATTERS: Tulip, a manufacturing app platform company that bridges the gap between backend IT and the shop floor, announced on Tuesday $13 million worth of Series A funding, led by New Enterprise Associates and Pitango Venture Capital. The MIT spinout “combines research in intelligent hardware sensors, computer vision, assistive user interfaces and applied machine learning.” … Hexagon Manufacturing Intelligence, which helps industrial manufacturers develop tech and is a metrology and manufacturing solution specialist, acquired German system integration specialist FASys Industrie-EDV-Systeme GmbH, with the news officially breaking on Monday. … John J. Tracy, the retired CTO and SVP of engineering, operations and technology at Boeing, officially joined the board of directors at 3D Systems this week. Tracy worked for Boeing for nearly 40 years and is notable for leading the 787 Dreamliner development team.

QUOTE OF THE WEEK: “Stanford Business School now is a tech incubator. Whatever is hot among the MBA students basically crashes a couple years later. In my year it was consulting, then private equity and investment banking; now half the class is doing technology. I told Andreessen, ‘Short, it’s over!’” — Jeff Jordan, Andreessen Horowitz general partner and former CEO of OpenTable.